Root Organization Best Practices

With the 1.18.0 release of the Nexus IQ Server, we've added even more flexibility and control with what we call, The Root Organization.

The Root Organization is a single organization at the top of your hierarchy within the Nexus IQ ecosystem. This can follow the command and control structure of your development teams, but that is not a requirement.

However, this does provide a single point to structure policy. In other words, the ability to manage policy globally.

There are two ways to get started with Root Organization.

First Time Nexus IQ Server Installation

If you have not previously installed the Nexus IQ Server (previous to the x.xx release), a Root Organization will already be created for you. You can read more on the specifics and should follow the general directions provided in the Nexus IQ Book [link needed].

Existing Nexus IQ Server Installation

If you are upgrading from a previous version of the IQ Server, we've worked to make transitioning the the new Root Organization feature as simple as possible. However, we always recommend backing up your IQ Server data before any upgrade.

Once you completed a backup, the next steps will be provided directly in the application. There are two paths:

  • Use an existing organization as a template
  • Start with an empty root organization

As with all things, there are pros and cons to each.

Existing Organization Template Path

The specifics to proceeding with this path are provided in the Organization and Application Management chapter of the Nexus IQ Book. Specifically, checkout the Using a Template Organization Section (you should really read the whole section of Root Organization).

This is the recommended path for those that have already been managing policy. However, here are a few best practice ideas:

    • There Is No Undo: Choose the Template Organization Carefully
      The migration will take the policy elements of the chosen template organization and move them to the root org. This means they won’t be part of that organization anymore, even though it won’t change how the applications are evaluated. However, none of this can be undone.
    • Review All Policy Elements, Across All Organizations and Applications
      A comparison is made based on the template organization’s policy elements, to every policy within your Nexus IQ Server installation. This is by name only. When a match is found the policy element is removed and associated with the Root Organization instead. Because of this, it’s best to review policy elements to make sure there are no unintended changes, and/or the intended changes take place.
    • CAUTION: A matching conflict can occur if the template organization has a policy element with the same name, but different content than a policy element in another organization. IQ Server resolves the conflict by replacing the the other organization’s content with the template’s content when the template’s policy elements are moved to the Root Organization.
    • Clean Up Post Migration to Avoid Duplication and Missing Elements 
      You should include as part of this process a review of all policy elements across all your organizations and applications. 

Empty Root Organization Path

This path can require more work. We also don’t recommend this in cases where you’ve established policy (including various policy elements) across a range of organizations and applications because there is a high likelihood of policy element duplication.

If you do choose to go this route, an audit of your existing organizations and applications, as well as the associated policy elements should take place. Since this is something you should do even if you follow the template organization path, you might consider going that route anyways.

Have more questions? Submit a request


Article is closed for comments.